I would like to reach out to the community in order to find out if anyone out there is able to assist me with the following: How can one detect anonymous proxy traffic such as The Onion Router (TOR)? Given that nowadays TOR utilizes HTTP (SSL encryption) and Intrusion Detection Systems (IDS) are blind to the traffic since it is obfuscated, what would be the best method for detecting network traffic of users that are utilizing this to connect to proxies to browse the internet and be anonymous?

The issue is not only that users will browse the internet and possibly download malware; another great concern is that anyone can set up their own TOR proxy, and as the traffic gets decrypted at that proxy, the admin for that proxy could potentially perform a man-in-the-middle attack and intercept that data or take over the session as the user. Now the end user is not only putting in jeopardy the security of the company but also themselves if they are logging into their bank accounts, personal emails, etc.

My main concern is that there is no way you can obtain an accurate active list of TOR proxy servers, since anyone at any time can set one up. The only resolution I can think of is by somehow filtering out 443 data and then performing a Whois on the external destination IPs; if we determine that they do not have a business need to visit it, then we can block anyone going to that external IP, investigate the system for the possibility of a TOR application running on it, and remove it.

Going this direction would create a tremendous amount of work that will result in potentially missing legitimate network intrusions, callbacks to known malicious sites, etc. I hope that those of you that currently have something in place for this will share your solution, and that those that don't have this problem but have ideas would share them.

I've found most of our users using TOR either while fixing a problem on their computer or by viewing the firewall logs.

While the list of proxy servers changes, the boxes that provide those lists don't change as often. So blocking them prevents users from getting updated lists.

When I have a working syslog server at work collecting the firewall logs (they're worth having, we just don't have the hardware right now after our move), you can grep the logs for that information and use either the firewall or the internal proxy to block those sites. You don't have to be perfect in the case of blocking; users will stop using it when they find it's not very reliable.

Since you're talking about blocking this traffic from work, you might want to talk to upper management about updating the acceptable use policy, with teeth behind it when it's broken. Example: there used to be a problem with something at work. When management started walking people out the door for doing it, people stopped.

As for finding it installed on people's computers, I'm assuming a Windows environment. You can write a script that (if it has domain admin privileges) lists the contents of c:\program files. I've done something similar with Perl looking for multimedia files on people's user shares.
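The log-grepping approach described above, written out as an added example (this is not code from the thread or from any poster). It assumes iptables-style syslog lines and a small list of relay and directory-server addresses; both the log lines and the IP lists are constructed here using documentation address ranges, not real Tor infrastructure. Because Tor over port 443 looks like ordinary HTTPS, the match is on the destination address regardless of port, and hits against the list-serving hosts are reported separately, since blocking those is what keeps clients from refreshing their relay list:

```python
import re
from collections import defaultdict

# Constructed stand-ins for known Tor relays and for the servers that hand
# out relay lists (TEST-NET addresses, not real Tor hosts). In practice both
# sets would be refreshed from a published list on a schedule.
TOR_RELAY_IPS = {"198.51.100.7", "198.51.100.23"}
TOR_DIRECTORY_IPS = {"203.0.113.9"}

# Constructed firewall syslog lines in iptables LOG format (not from the thread).
SAMPLE_LOG = """\
Mar  9 14:07:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=443
Mar  9 14:07:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.9 PROTO=TCP SPT=51235 DPT=443
Mar  9 14:07:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=192.0.2.80 PROTO=TCP SPT=40000 DPT=443
Mar  9 14:08:10 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=198.51.100.23 PROTO=TCP SPT=51240 DPT=9001
Mar  9 14:09:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.55 DST=198.51.100.7 PROTO=TCP SPT=33333 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Pull timestamp, verdict, addresses and destination port out of one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def classify(rec):
    """Label a record by what its destination is, ignoring the port on purpose."""
    if rec["dst"] in TOR_DIRECTORY_IPS:
        return "directory"
    if rec["dst"] in TOR_RELAY_IPS:
        return "relay"
    return None


def find_tor_clients(log_text):
    """Return {internal_ip: {"relay": n, "directory": n, "blocked": n}} for hosts that matched."""
    hits = defaultdict(lambda: {"relay": 0, "directory": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        # A DROP still tells you which internal host is trying; count it separately
        # so a report shows who keeps attempting after the firewall rule is in place.
        if rec["action"] == "DROP":
            hits[rec["src"]]["blocked"] += 1
        else:
            hits[rec["src"]][kind] += 1
    return dict(hits)


def report(hits):
    """One line per internal host, suitable for handing to whoever follows up."""
    return [
        f"{host}: relay={c['relay']} directory={c['directory']} blocked={c['blocked']}"
        for host, c in sorted(hits.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(find_tor_clients(SAMPLE_LOG))))
```

Pointing this at a real syslog archive is a matter of replacing `SAMPLE_LOG` with the file contents; the host 10.0.0.40 talking to an unlisted address on 443 is deliberately left unflagged to show that the port alone proves nothing.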

Those are great suggestions. We do have an acceptable use policy and perform regular scans in order to identify unauthorized software (remember that if you have an add-on in Firefox, a vulnerability/pen test/patch management scan won't identify add-ons such as a Tor one), and some users can connect their personal laptops and obtain an IP since DHCP is enabled.

We have already tried to push the issue about implementing a static IP environment, leave without pay for employees that are found to have the software and bring personal laptops, etc. But the fact is that at this time none of that will change. We have already brought up a lot of good suggestions, cases to prove our point and a very good presentation, but nothing will change for at least a year or two. At this time I have been tasked to identify Tor activity, report users, remove the application and block it at the firewall level.

If you're using Cisco switches, you can limit the number of MAC addresses allowed per port. We've had the same problem with users bringing laptops in.

The static IP addresses don't really help that much. Users will find an open IP address and use it. Sometimes it's an open IP address because the box it belongs to is turned off.

As for using the plugins instead of installing the programs, try looking in: C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\PROFILE\extensions. You'll have to look at all the sub folders in those directories. A nested for loop could work. I looked in my extension directory, and was able to find JavaScript files with the names of the programs.

You'll have to write your own tools to do it, I don't know of any off the shelf that will do that for you (Others might). The benefit, if management agrees, is you get to see what other things the users are installing.

Sorry I can't be more help than what I've suggested. Beyond looking in the two locations on their computers, getting a list of the proxy servers and the ones that contain the lists (blocking at the firewall), the only other thing I can suggest is googling "blocking TOR" (which I did sometime in the last 3 years).

*Edit: Make sure you keep your manager, and maybe director, informed of what you're doing. I was lucky: when I was working the security part of my job, my director insisted I report straight to him, not my manager, and he covered whatever I needed to do, like writing those scripts. My manager didn't like it, but my Director had my back.

Last edited by rattis on Tue Mar 09, 2010 2:07 pm, edited 1 time in total.
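The "nested for loop" over Firefox profile extension folders that the post above describes, as an added example (not code from the thread or from any poster, and Python rather than the Perl the poster used). It assumes the profile layout the post names (a Profiles directory with one folder per profile and an extensions folder inside each) and flags files whose names contain "tor" or "torbutton" as a whole token, so "monitor.js" and "editor.xul" do not trip it. The directory tree it scans is constructed in a temporary folder for the demonstration, and the extension folder names in it are placeholders, not real extension IDs:

```python
import os
import re
import tempfile

# Whole-token match for "tor" / "torbutton" in a file name stem, so that
# "monitor", "editor", "vector" and similar do not produce false positives.
SUSPECT_NAME_RE = re.compile(r"(?i)(?:^|[^a-z])tor(?:button)?(?:[^a-z]|$)")

# File types worth examining inside an extension folder.
INTERESTING_EXT = {".js", ".xul", ".rdf", ".jar"}


def is_suspect_name(filename):
    """True when the file's stem names a Tor-related component."""
    stem = os.path.splitext(filename)[0]
    return bool(SUSPECT_NAME_RE.search(stem))


def scan_profile(profile_dir):
    """Walk <profile>/extensions and return (extension_folder, matching_file_path) pairs."""
    ext_root = os.path.join(profile_dir, "extensions")
    hits = []
    if not os.path.isdir(ext_root):
        return hits
    # Outer loop: one iteration per installed extension folder.
    for ext_name in os.listdir(ext_root):
        ext_dir = os.path.join(ext_root, ext_name)
        if not os.path.isdir(ext_dir):
            continue
        # Inner loop: every file at any depth under that extension.
        for root, _dirs, files in os.walk(ext_dir):
            for fname in files:
                if os.path.splitext(fname)[1].lower() not in INTERESTING_EXT:
                    continue
                if is_suspect_name(fname):
                    hits.append((ext_name, os.path.join(root, fname)))
    return hits


def scan_user_profiles(appdata_dir):
    """Scan every profile under <Application Data>\\Mozilla\\Firefox\\Profiles; return {profile: hits}."""
    profiles_root = os.path.join(appdata_dir, "Mozilla", "Firefox", "Profiles")
    results = {}
    if not os.path.isdir(profiles_root):
        return results
    for prof in os.listdir(profiles_root):
        found = scan_profile(os.path.join(profiles_root, prof))
        if found:
            results[prof] = found
    return results


def build_demo_tree():
    """Construct a throwaway profile tree with one Tor-like and one benign extension (demo data only)."""
    base = tempfile.mkdtemp(prefix="ffscan_")
    profile = os.path.join(base, "Mozilla", "Firefox", "Profiles", "abc123.default", "extensions")
    # Placeholder extension folder names; real extensions use GUIDs or id@domain names.
    tor_like = os.path.join(profile, "{tor-ext-placeholder-id}", "chrome", "content")
    benign = os.path.join(profile, "{other-ext-placeholder-id}", "chrome", "content")
    os.makedirs(tor_like)
    os.makedirs(benign)
    for path in (os.path.join(tor_like, "torbutton.js"),
                 os.path.join(benign, "monitor.js"),
                 os.path.join(benign, "editor.xul")):
        with open(path, "w") as fh:
            fh.write("// constructed demo file\n")
    return base


if __name__ == "__main__":
    demo_base = build_demo_tree()
    for profile_name, found in scan_user_profiles(demo_base).items():
        for ext_folder, path in found:
            print(f"profile {profile_name}: {ext_folder} -> {os.path.relpath(path, demo_base)}")
```

On a real machine you would call `scan_user_profiles` once per user's Application Data directory (an account with rights to read those profiles is required), and a file-name heuristic like this is a starting point only; an extension can be renamed, so pairing it with the firewall-log check gives you two independent signals.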

Trust me, these are great ideas that you suggested and it gives me a starting point. I'm in the process of compiling a known list of Tor servers, placing a block for outgoing traffic, and will look into an automatic solution for finding Tor plug-ins. If it comes to developing my own tool, then this will be a little bit of a new area to me, but as always the best way to learn is when you're working on a project. This is why these forums are great: they allow other people to give you another set of eyes when trying to figure out a solution.

Thanks again

Last edited by itg33k on Tue Mar 09, 2010 3:09 pm, edited 1 time in total.

KamiCrazy, Isn't there an executable portion for TOR? If you block that, the plug-in would be useless. Either way, a plug-in is still a file. I would have to test it, but I would think you should be able to block that through a GPO.

There is an exe portion to Tor; you run the exe and have a plugin for Firefox... but you don't have to run the exe on the same computer as the plugin. Nor do you really need to run the plugin either....

Anyways, fighting Tor is basically an arms race. I think doing things like scanning for their proxy list and such isn't a very good long-term strategy. You need to fight it closer to the problem.

We're still fighting this at work. I was able to get a lot of the Admin rights taken out of the boxes, but since we scan books, and the scanners the company went with require admin privileges to run (that's how the drivers are set up for them), some users.. Well you get the idea.

chrisj wrote: We're still fighting this at work. I was able to get a lot of the Admin rights taken out of the boxes, but since we scan books, and the scanners the company went with require admin privileges to run (that's how the drivers are set up for them), some users.. Well you get the idea.

Using the Sysinternals tool Process Explorer, you can find what file system and registry permissions the application/driver needs, and you can grant those to users via Group Policy. It is a PITA, and if there's ever an update or some other change, you often need to go through the process again. Still, it may allow you to revoke admin rights, which could end up causing problems that are even less fun to deal with.